Byron Acohido

Throughout the 2012 holiday shopping blitz in the United States, cybergangs are expected to unleash a variety of old and new internet-based scams to steal identities and hijack online accounts.

"This is prime time for cybercriminals," says Brendan Ziolo, vice-president at security company Kindsight.

The crooks' incentive? Some 41 per cent of consumers plan to use their PCs, tablets and smartphones to shop online, up from 37 per cent last year, according to PriceGrabber.

Advertisement

That means millions of people will be using computers at home and work to shop for gifts. What's more, roughly half of them use web browsers lacking the latest security patches, making them prime targets for computer infections that saturate the web.

"Users of all major browsers are using outdated software containing known vulnerabilities," says Wolfgang Kandek, chief technical officer at patch management company Qualys.

Qualys recently analysed more than 1 million internet-connected Microsoft Windows PCs and Macs. It found 56 per cent of users of Microsoft's Internet Explorer surfed the internet using an older version of the popular web browser carrying widely known security flaws. Hackers are expert at tapping into such flaws to seed infections.

Some 49.2 per cent of users of Mozilla's Firefox, 47.5 per cent of Google's Chrome and 37.4 per cent of Apple's Safari also used browser versions lacking the latest security updates. Using an outdated browser – and clicking on a web page booby-trapped with a hidden virus – can turn control of your computer over to an intruder.

Last month, antivirus company Avast identified more than 52,000 American web domains containing at least one infected web page; that was up from 50,000 infected domains in September and 46,000 in August.

"Sometimes it could be several infected pages on each domain," said Avast researcher Milos Korenko. "Not only porn sites and other dodgy sites – many were perfectly legitimate websites."

Professional cybergangs in Russia and Eastern Europe are steering victims to these booby-trapped web pages via:

Cybercriminals take full advantage of the lax attitude towards privacy fostered by social networks, says Mark Patton, manager of the security business unit at GFI Software. This time of year, tainted web links proliferate on Facebook wall postings, get embedded in Tweets and show up associated with YouTube videos.

"You could easily foresee a scenario where a holiday-decorating tutorial on YouTube could play host to nasty embedded links," Mr Patton says.

Search queries

Search Engine Optimisation, or SEO, refers to techniques used by media companies and advertisers to get their web links ranked highly in response to specific search queries. Crime gangs have become expert at using SEO tactics to boost the rankings of "poisoned" search results directing victims to tainted web pages.

Analysis of web traffic from more than 75 million users on home and corporate networks conducted by Blue Coat Security Labs found criminals are poisoning Google and Bing search results four times as often as sending out viral e-mail.

Criminals are certain to aim poisoned results at shopping-related queries. "By getting high rankings for pages that are actually infected, they increase the likelihood of leading victims to their infected pages," says Proofpoint security blogger Keith Crosley.

Mobile devices

Online transactions conducted via iPhones have increased 11 per cent so far in November compared with the same period a year ago; for Windows smartphones, transactions are up 53 per cent and for Android 7 per cent, according to analysis of 40 million mobile devices by security company ThreatMetrix.

"The uptick in mobile usage has increased the risk of fraud," Mr Faulkner says.

Android smartphone users should be especially wary of free apps and unsolicited text messages, says Bitdefender's Cosoi. One, called ZitMo, intercepts text messages and e-mails containing bank authentication tokens and is designed to help thieves gain control over online bank accounts, he says.

Using a debit card is unwise, he says, because it can give thieves direct access to your personal checking account. One other piece of advice: "Think before you click," Bunge cautions. "If it seems too good to be true, it probably is."